Merge pull request #221 from YunoHost/fix-670-no-nginx-check-in-renew

[fix] Check ACME challenge conf exists in nginx when renewing a certificate

locales/en.json

@@ -264,5 +264,6 @@
     "certmanager_conflicting_nginx_file": "Unable to prepare domain for ACME challenge: the nginx configuration file {filepath:s} is conflicting and should be removed first",
     "domain_cannot_remove_main": "Cannot remove main domain. Set a new main domain first",
     "certmanager_self_ca_conf_file_not_found": "Configuration file not found for self-signing authority (file: {file:s})",
+    "certmanager_acme_not_configured_for_domain": "Certificate for domain {domain:s} does not appear to be correctly installed. Please run cert-install for this domain first.",
     "certmanager_unable_to_parse_self_CA_name": "Unable to parse name of self-signing authority (file: {file:s})"
 }

src/yunohost/certificate.py

@@ -323,8 +323,16 @@ def certificate_renew(auth, domain_list, force=False, no_checks=False, email=Fal
                 continue
 
             # Does it expire soon?
-            if force or status["validity"] <= VALIDITY_LIMIT:
+            if status["validity"] > VALIDITY_LIMIT and not force:
-                domain_list.append(domain)
+                continue
+
+            # Check ACME challenge configured for given domain
+            if not _check_acme_challenge_configuration(domain):
+                logger.warning(m18n.n(
+                    'certmanager_acme_not_configured_for_domain', domain=domain))
+                continue
+
+            domain_list.append(domain)
 
         if len(domain_list) == 0:
             logger.info("No certificate needs to be renewed.")
@@ -341,7 +349,7 @@ def certificate_renew(auth, domain_list, force=False, no_checks=False, email=Fal
             status = _get_status(domain)
 
             # Does it expire soon?
-            if not force or status["validity"] <= VALIDITY_LIMIT:
+            if status["validity"] > VALIDITY_LIMIT and not force:
                 raise MoulinetteError(errno.EINVAL, m18n.n(
                     'certmanager_attempt_to_renew_valid_cert', domain=domain))
 
@@ -350,6 +358,11 @@ def certificate_renew(auth, domain_list, force=False, no_checks=False, email=Fal
                 raise MoulinetteError(errno.EINVAL, m18n.n(
                     'certmanager_attempt_to_renew_nonLE_cert', domain=domain))
 
+            # Check ACME challenge configured for given domain
+            if not _check_acme_challenge_configuration(domain):
+                raise MoulinetteError(errno.EINVAL, m18n.n(
+                    'certmanager_acme_not_configured_for_domain', domain=domain))
+
     if staging:
         logger.warning(
             "Please note that you used the --staging option, and that no new certificate will actually be enabled !")
@@ -362,6 +375,7 @@ def certificate_renew(auth, domain_list, force=False, no_checks=False, email=Fal
         try:
             if not no_checks:
                 _check_domain_is_ready_for_ACME(domain)
+
             _fetch_and_enable_new_certificate(domain, staging)
 
             logger.success(
@@ -487,6 +501,17 @@ location '/.well-known/acme-challenge'
     app_ssowatconf(auth)
 
 
+def _check_acme_challenge_configuration(domain):
+    # Check nginx conf file exists
+    nginx_conf_folder = "/etc/nginx/conf.d/%s.d" % domain
+    nginx_conf_file = "%s/000-acmechallenge.conf" % nginx_conf_folder
+
+    if not os.path.exists(nginx_conf_file):
+        return False
+    else:
+        return True
+
+
 def _fetch_and_enable_new_certificate(domain, staging=False):
     # Make sure tmp folder exists
     logger.debug("Making sure tmp folders exists...")